key auth ok one way, not the other - SSH

This is a discussion on key auth ok one way, not the other - SSH ; g'day all; I'm trying to get public key authentication working between two linux machines - 2.6.8 kernel -- 2.4.22 kernel. Both machines are running OpenSSH 3.9.p1. I can ssh to the 2.4.22 machine and get authenticated using the keys. If ...

+ Reply to Thread
Results 1 to 9 of 9

Thread: key auth ok one way, not the other

  1. key auth ok one way, not the other

    g'day all;

    I'm trying to get public key authentication working between two linux
    machines - 2.6.8 kernel -- 2.4.22 kernel.

    Both machines are running OpenSSH 3.9.p1. I can ssh to the 2.4.22 machine
    and get authenticated using the keys. If I try to go the 2.6.8 machine I
    get publickey failed. I can login after enabling password auth. Here is
    the '-v -v' debug log;

    wcattell@arwen .ssh]$ ssh -v -v xxx.xxxx.xxx
    OpenSSH_3.9p1, OpenSSL 0.9.7b 10 Apr 2003
    debug1: Reading configuration data /usr/local/etc/ssh_config
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to xxx.xxxx.xxx port 22.
    debug1: Connection established.
    debug1: identity file /home/wcattell/.ssh/identity type -1
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug2: key_type_from_name: unknown key type 'Proc-Type:'
    debug2: key_type_from_name: unknown key type 'DEK-Info:'
    debug2: key_type_from_name: unknown key type '-----END'
    debug1: identity file /home/wcattell/.ssh/id_rsa type 1
    debug1: identity file /home/wcattell/.ssh/id_dsa type -1
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
    debug1: match: OpenSSH_3.9p1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.9p1
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_init: found hmac-md5
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 136/256
    debug2: bits set: 498/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'xxx.xxxx.xxx' is known and matches the RSA host key.
    debug1: Found key in /home/wcattell/.ssh/known_hosts:3
    debug2: bits set: 505/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key:/home/wcattell/.ssh/identity ((nil))
    debug2: key:/home/wcattell/.ssh/id_rsa (0x808b510)
    debug2: key:/home/wcattell/.ssh/id_dsa ((nil))
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key:/home/wcattell/.ssh/identity
    debug1: Offering public key:/home/wcattell/.ssh/id_rsa
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continueublickey,keyboard-interactive
    debug1: Trying private key:/home/wcattell/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied(publickey,keyboard-interactive)

    ----------

    --My public key from 2.4.22 has been copied into ~/.ssh/authorized_keys on
    xxx.xxxx.xxx(2.6.8) and vice-versa.
    --2.6.8 is running ssh-agent ok
    --2.4.22 is running ssh-agent but comes up with a message that it can't
    connect to the agent when trying to run ssh-add.
    --the /etc/ssh/sshd_config and ssh_config files are identicle between the
    two hosts.

    Any help or suggestions would be greatly appreciated.

    TIA,

    Bill


  2. Re: key auth ok one way, not the other

    On 2006-03-27, William B. Cattell wrote:
    >
    > I'm trying to get public key authentication working between two linux
    > machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
    > not the other].


    Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
    and $HOME between the two systems. See http://openssh.com/faq.html#3.14 .

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  3. Re: key auth ok one way, not the other

    On Mon, 27 Mar 2006 09:31:20 +0000, Darren Tucker wrote:

    > On 2006-03-27, William B. Cattell wrote:
    >>
    >> I'm trying to get public key authentication working between two linux
    >> machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
    >> not the other].

    >
    > Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
    > and $HOME between the two systems. See http://openssh.com/faq.html#3.14 .


    Thanks - I've made some headway after modifying permissions. I'm still
    being asked for the passphrase when ssh'ing to the 2.6.8 system. I'm
    thinking that if I load the agent on the 2.4.22 machine that should be
    resolved. The gotcha is that I can load the agent but trying to add a key
    (or even look at the loaded keys) I get a "cannot communicate with agent".

    I'm trying a couple different things related to that. Thanks for the
    suggestion.

    Bill


  4. Re: key auth ok one way, not the other

    William B. Cattell wrote:
    > On Mon, 27 Mar 2006 09:31:20 +0000, Darren Tucker wrote:
    >
    >> On 2006-03-27, William B. Cattell wrote:
    >>> I'm trying to get public key authentication working between two linux
    >>> machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
    >>> not the other].

    >> Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
    >> and $HOME between the two systems. See http://openssh.com/faq.html#3.14 .

    >
    > Thanks - I've made some headway after modifying permissions. I'm still
    > being asked for the passphrase when ssh'ing to the 2.6.8 system. I'm
    > thinking that if I load the agent on the 2.4.22 machine that should be
    > resolved. The gotcha is that I can load the agent but trying to add a key
    > (or even look at the loaded keys) I get a "cannot communicate with agent".
    >
    > I'm trying a couple different things related to that. Thanks for the
    > suggestion.


    What does /var/log/messages say on the server machine? It usually can
    tell you what is wrong. Remember that your home directory needs to be
    writable only by you (not writable by the group).

    --
    Stein Arne

  5. Re: key auth ok one way, not the other

    On Mon, 27 Mar 2006 21:34:11 +0200, Stein Arne Storslett wrote:

    > William B. Cattell wrote:
    >> On Mon, 27 Mar 2006 09:31:20 +0000, Darren Tucker wrote:
    >>
    >>> On 2006-03-27, William B. Cattell wrote:
    >>>> I'm trying to get public key authentication working between two linux
    >>>> machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
    >>>> not the other].
    >>> Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
    >>> and $HOME between the two systems. See http://openssh.com/faq.html#3.14 .

    >>
    >> Thanks - I've made some headway after modifying permissions. I'm still
    >> being asked for the passphrase when ssh'ing to the 2.6.8 system. I'm
    >> thinking that if I load the agent on the 2.4.22 machine that should be
    >> resolved. The gotcha is that I can load the agent but trying to add a key
    >> (or even look at the loaded keys) I get a "cannot communicate with agent".
    >>
    >> I'm trying a couple different things related to that. Thanks for the
    >> suggestion.

    >
    > What does /var/log/messages say on the server machine? It usually can
    > tell you what is wrong. Remember that your home directory needs to be
    > writable only by you (not writable by the group).


    Thanks to Darren (and the FAQ) the permissions are fixed.
    /var/log/messages doesn't tell me anything other than it's accepted my
    public key. I've verified the public keys are correctly inserted in
    authorized_keys and the corresponding private key has (r) permissions for
    the owner only.

    If I su to root I can do an ssh-add and get the (root's) private key into
    the agent (ssh-add -l shows the fingerprint). I'm wondering if ssh-add
    needs to be suid (a bad idea, I know).

    Any thoughts / ideas?

    TIA,

    Bill



  6. Re: key auth ok one way, not the other

    On Tue, 28 Mar 2006 11:08:39 +0000, William B. Cattell wrote:

    > On Mon, 27 Mar 2006 21:34:11 +0200, Stein Arne Storslett wrote:
    >
    >> William B. Cattell wrote:
    >>> On Mon, 27 Mar 2006 09:31:20 +0000, Darren Tucker wrote:
    >>>
    >>>> On 2006-03-27, William B. Cattell wrote:
    >>>>> I'm trying to get public key authentication working between two linux
    >>>>> machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
    >>>>> not the other].
    >>>> Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
    >>>> and $HOME between the two systems. See http://openssh.com/faq.html#3.14 .
    >>>
    >>> Thanks - I've made some headway after modifying permissions. I'm still
    >>> being asked for the passphrase when ssh'ing to the 2.6.8 system. I'm
    >>> thinking that if I load the agent on the 2.4.22 machine that should be
    >>> resolved. The gotcha is that I can load the agent but trying to add a key
    >>> (or even look at the loaded keys) I get a "cannot communicate with agent".
    >>>
    >>> I'm trying a couple different things related to that. Thanks for the
    >>> suggestion.

    >>
    >> What does /var/log/messages say on the server machine? It usually can
    >> tell you what is wrong. Remember that your home directory needs to be
    >> writable only by you (not writable by the group).

    >
    > Thanks to Darren (and the FAQ) the permissions are fixed.
    > /var/log/messages doesn't tell me anything other than it's accepted my
    > public key. I've verified the public keys are correctly inserted in
    > authorized_keys and the corresponding private key has (r) permissions for
    > the owner only.
    >
    > If I su to root I can do an ssh-add and get the (root's) private key into
    > the agent (ssh-add -l shows the fingerprint). I'm wondering if ssh-add
    > needs to be suid (a bad idea, I know).
    >
    > Any thoughts / ideas?
    >
    > TIA,
    >
    > Bill



    An update - I ran the agent as a user and was able to insert keys into it.
    Would each user have to run the agent ro should I be able to run it at
    startup (via r.local script) and let multiple users access it?

    TIA,

    Bill


  7. Re: key auth ok one way, not the other

    >>>>> "WBC" == William B Cattell writes:

    WBC> An update - I ran the agent as a user and was able to insert keys
    WBC> into it. Would each user have to run the agent ro should I be
    WBC> able to run it at startup (via r.local script) and let multiple
    WBC> users access it?

    The former. For security, ssh-agent requires that a client's uid match
    its own, unless the client is root, who is allowed to talk to any agent.
    This is an additional check on top of the permissions of the agent socket
    node and containing directory.

    Cf ssh-add.c; search for "getpeereid".

    --
    Richard Silverman
    res@qoxp.net


  8. Re: key auth ok one way, not the other

    On Thu, 30 Mar 2006 05:25:26 -0500, Richard E. Silverman wrote:

    >>>>>> "WBC" == William B Cattell writes:

    >
    > WBC> An update - I ran the agent as a user and was able to insert keys
    > WBC> into it. Would each user have to run the agent ro should I be
    > WBC> able to run it at startup (via r.local script) and let multiple
    > WBC> users access it?
    >
    > The former. For security, ssh-agent requires that a client's uid match
    > its own, unless the client is root, who is allowed to talk to any agent.
    > This is an additional check on top of the permissions of the agent socket
    > node and containing directory.
    >
    > Cf ssh-add.c; search for "getpeereid".


    Richard - Thanks the clearing that up. It makes sense from a security
    standpoint. I think it's working the way it's supposed to. Thanks to all
    who've responded.

    Bill

  9. Re: key auth ok one way, not the other

    On 2006-03-30, Richard E. Silverman wrote:
    > The former. For security, ssh-agent requires that a client's uid match
    > its own, unless the client is root, who is allowed to talk to any agent.
    > This is an additional check on top of the permissions of the agent socket
    > node and containing directory.
    >
    > Cf ssh-add.c; search for "getpeereid".


    Note that (in OpenSSH at least) getpeereid is a no-op on platforms that
    do not provide a way to get the info from the kernel (which is quite a
    few; those will show a warning to that effect when configure runs).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

+ Reply to Thread